(U//FOUO) Net Defense 
Increment 3 Requirement



SYSREQ10322.2 

(S//REL) TURMOIL shall reinject decrypted IP traffic into BLUESNORT for malicious network activity detection.
Three-Feather Solution

GALLANTWAVE application
- Same module supports NetDef and SIGINT
- Supports dynamic update of targeting via UTT
- Supports static target updates

GALLANTWAVE Reinjection application
- Same module supports NetDef and SIGINT
- Supports re-injection of decrypt into TURMOIL for detection by BLUESNORT

BLUESNORT in Stage 1 Prime application
- Emits events off decrypted, re-packetized, reinjected data
High Level Data Flow

[Diagram: Net Defense and SIGINT sites; TIPS (Bluesnort Events). Figure content not recoverable from the page.]
Status

- Running on MHS DEV ESO T5 and T22
- Transform, Reinjection, Signature Hits confirmed
- Signatures need further development to produce true hits vs. false positives
- NTOC POC reviewing XKS hits to generate new signatures
Issues/Risks

CA Servers at Net Defense Sites
- ITx Connectivity to LONGHAUL
- NTOC requires stand-up of separate dev and live ITx fabric
  - HA/V funding may be needed
  - Need paperwork for update to firewall - submission expected by 25 Feb
    - Expected completion was 29 Feb; now delayed to TBD
- SSH connectivity
  - Short term: via BLUEBOX CA Servers at Pentagon - done
  - Longer term: via deployment of servers within the NTOC enclave that connect to CA Servers in the field

GALLANTWAVE Targeting Challenges
- MAILORDER/NiFi not yet available
  - Mitigation: Manually load static targeting files
CA Capabilities Planned for NCC-3 Test Events

Capability     | DT/OA 2 (June 2012) Defensive Sensor | DT/OA 2 (June 2012) SIGINT Sensor | DT/OA 3 (June 2013) Defensive Sensor | DT/OA 3 (June 2013) SIGINT Sensor
CA Reinjection | (blank)                              | DGO                               | TTENT                                | DGO
Near-term Schedule

Capability                      | Date
GW-R Gate 2                     | Done (15 Feb)
GW-R Gate 3                     | Done (29 Feb)
GW-R Gate 5                     | 31 Mar
GW-R Deploy to U sites          | May
ITx Dev Fabric at NetDef sites  | 29 Feb +
CA Server ssh connectivity      | Done via Bluebox
Initial Live Dev Test TURTLEZOO | -May
GW-R Core 4.0                   | May
GW Core 4.0                     | May
ITx Live Fabric                 | TBD
Players



BACKUP SLIDES 
CA Capabilities Planned for NCC-3 Test Events

Capability                    | DT/OA 2 (June 2012) Defensive Sensor | DT/OA 2 (June 2012) SIGINT Sensor | DT/OA 3 (June 2013) Defensive Sensor | DT/OA 3 (June 2013) SIGINT Sensor
NETFLOW                       | Full Netflow                         | Pretty Good Netflow               | Full Netflow                         | Full Netflow
BLUESNORT (updates)           | Yes                                  | (blank)                           | Yes                                  | Yes
FULL SNORT                    | Yes                                  | No (Core 4)                       | Yes                                  | Yes
POPQUIZ                       | (blank)                              | (blank)                           | Yes                                  | Yes
Performance Testing           | Yes                                  | (blank)                           | Yes                                  | Yes
Wireless reinjection          | N/A                                  | Yes                               | N/A                                  | Yes
CA Reinjection                | (blank)                              | Yes                               | Yes                                  | Yes
Cyber Tasking                 | Yes                                  | Partial                           | Yes                                  | Partial
Updated Cloudshield Interface | Partial                              | N/A                               | Yes                                  | Yes
Metrics and Monitoring        | Yes                                  | (blank)                           | Yes                                  | Yes

Orange items are being revisited. Requirements without explicit TML Core 4 dependency need mission documentation to justify not being covered in DT/OA 2.
(S//REL) Dynamic Defense Logical Diagram

[Diagram; the figure itself is not recoverable from the page. Labels present: CD; INTERNET; Active Response; Network Interface; Packets; Protected Internal Network; Detect (BUSINESS / DISTRIBUTION LOGIC); Decide; TUMULT (T113); TURMOIL (T112); TUTELAGE (T111); NTOC (VSPO); Legend. (S//REL)]
CoreSSC gets UTT updates, triggers Load Targets. GW-TargetManager responds to the Load Targets request from CoreSSC, pulls the GW IP addresses from the Targeting database, issues control-flow messages for each IP:Port combination and sends periodic updates for those.

FCP responds to control-flow messages by promoting all packets to/from the targeted IP:port combinations, and PacketRouter ensures these packets are sent to GW-FIP for sessionization. GW-FIP outputs 'raw' SOTF session-fragments to the TE-GW service on the same host.

GW-SessionFilter identifies sessions containing the target technology-of-interest by applying an appropriate appId tag to each session-fragment. GW-FragmentFilter removes session-fragments not containing an appropriate appId for the target technology-of-interest. Additionally, as a workaround for an issue in FIP 3.1.10, erroneous session-fragments missing a specific metadata field are removed. GW-MI applies SRI obtained from the DFID Allocator.

SECRET//COMINT//REL USA, FVEY
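The selection flow described above (targeting rows to control-flow messages, packet promotion, sessionization, appId tagging, fragment filtering with the missing-metadata drop) as a small model written for this page; it is not GALLANTWAVE code, and the target addresses, packets, "tls" appId and "session_id" metadata field are all constructed here.

```python
# Illustrative model (constructed here; not the real GALLANTWAVE code) of the flow above:
# targeting rows -> control-flow messages -> packet promotion -> sessionization
# -> appId tagging -> fragment filtering (including the missing-metadata drop).
from collections import defaultdict

TARGETS = {("10.0.0.5", 443), ("10.0.0.9", 8443)}  # constructed targeting DB rows

# Constructed packets: (src, sport, dst, dport, payload)
PACKETS = [
    ("192.0.2.1", 50001, "10.0.0.5", 443, b"\x16\x03\x01"),  # TLS record prefix
    ("10.0.0.5", 443, "192.0.2.1", 50001, b"\x16\x03\x03"),
    ("192.0.2.2", 50002, "10.0.0.7", 80, b"GET / HTTP/1.1"),  # not targeted
    ("192.0.2.3", 50003, "10.0.0.9", 8443, b"hello"),  # targeted, unknown app
]

def control_flow_messages(targets):
    """GW-TargetManager role: one promote message per IP:port combination."""
    return [{"action": "promote", "ip": ip, "port": port} for ip, port in sorted(targets)]

def promote(packets, messages):
    """FCP role: keep only packets to/from a targeted IP:port."""
    keys = {(m["ip"], m["port"]) for m in messages}
    return [p for p in packets if (p[0], p[1]) in keys or (p[2], p[3]) in keys]

def sessionize(packets):
    """GW-FIP role: group packets into session fragments keyed by ordered endpoints."""
    frags = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        frags[tuple(sorted([(src, sport), (dst, dport)]))].append(payload)
    return [{"session": k, "payloads": v, "meta": {"session_id": i}}
            for i, (k, v) in enumerate(frags.items())]

def tag_app_id(fragments):
    """GW-SessionFilter role: attach an appId when the technology of interest is seen."""
    for f in fragments:
        if any(p.startswith(b"\x16\x03") for p in f["payloads"]):  # toy TLS classifier
            f["app_id"] = "tls"
    return fragments

def fragment_filter(fragments, wanted="tls", required_meta="session_id"):
    """GW-FragmentFilter role: drop fragments lacking the wanted appId or a required field."""
    return [f for f in fragments if f.get("app_id") == wanted and required_meta in f["meta"]]

def run_pipeline(targets=TARGETS, packets=PACKETS):
    """End-to-end: returns the fragments that would be handed on for SRI/DFID tagging."""
    return fragment_filter(tag_app_id(sessionize(promote(packets, control_flow_messages(targets)))))
```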
CA Server

[Diagram: delivery to both XKEYSCORE and Stage 1 Prime Reinjection.]

TURMOIL

[Diagram: Stage 1 Prime Reinjection; Stage 1 Prime.]